Hacking (Old) Hacker News: Fun with Weak Passwords and Arc

When I was conducting my cloud password security research, I also looked at Hacker News. It's not a cloud application, but it does have pretty common password security qualities. It's also interesting because it's written in Arc (a Lisp dialect) and the code is available (for the old version from 2009).

When you create a Hacker News account you can choose a password as short as 4 characters, with no restrictions on password complexity. This means that you can have a password that looks like 0000 or 1111. Sure, not everybody will use passwords like that, but there's a good chance that quite a few users will have pretty simple passwords. Even technical people are still people; people choose the easiest possible passwords (when they can), which makes online password-guessing attacks easy to carry out.

What's interesting is that when you change your password, you are required to have at least 8 characters (still without any complexity requirements). The Arc source code shows that the length requirement used to be 4 characters. Time to look at the code to see what else might be there...

Here's the login code from app.arc:

(def good-login (user pw ip)
  (let record (list (seconds)
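As an added example (Python written for this page, not the Arc code from app.arc, and not a claim about what good-login does with its (user pw ip) arguments and timestamp record): a login handler that applies the 8-character minimum at signup as well as at password change, rejects the 0000/1111 style of password, and keeps a timestamped failure record per user and IP so online guessing is throttled. The lockout threshold, window, and PBKDF2 parameters are assumptions, not values from the post.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MIN_PASSWORD_LENGTH = 8   # the post's change-password minimum, applied everywhere
MAX_FAILURES = 5          # assumption: failed attempts allowed per (user, ip) in the window
WINDOW_SECONDS = 300      # assumption: sliding window for counting failures


def password_policy_errors(pw):
    """Return a list of policy violations; empty means the password is acceptable.
    Used at both signup and password change, so no 4-character signup gap exists."""
    errors = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        errors.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if len(set(pw)) == 1:
        errors.append("single repeated character (e.g. 0000, 1111)")
    if pw.isdigit():
        errors.append("digits only")
    return errors


class LoginGuard:
    """Keeps a timestamped record of failed logins per (user, ip) and throttles on it."""
    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # (user, ip) -> [failure timestamps]
        self.users = {}                     # user -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def register(self, user, pw):
        errors = password_policy_errors(pw)
        if errors:
            raise ValueError("; ".join(errors))
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(pw, salt))

    def good_login(self, user, pw, ip):
        key = (user, ip)
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        if len(self.failures[key]) >= MAX_FAILURES:
            return False                    # throttled: too many recent failures
        salt, stored = self.users.get(user, (b"", b""))
        ok = user in self.users and hmac.compare_digest(self._hash(pw, salt), stored)
        if not ok:
            self.failures[key].append(self.now())
        return ok
```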

The Sad State of Password Security in the Cloud

People are the weakest link when it comes to security. The cloud computing revolution brings new life to this age-old vulnerability. Cloud application users are exposed to many new attack vectors, but the security model designed to protect them is out of date. On top of that fundamental weakness, many cloud applications have significant design and implementation flaws, because user authentication and identity management seem deceptively simple: you identify a user by a unique ID and you confirm the identity with a secret password.

A lot has been written about passwords in general and about the weaknesses in many high-profile Internet and cloud applications. The security compromises of Evernote, LinkedIn, Sony, Yahoo, Linode, eHarmony, Last.fm, Zappos, Nvidia, Gawker, Billabong, Android Forums, and Ubuntu Forums in recent years shed new light on a very old problem: people choose weak passwords. They do it because it's easy and because they can. Discussions in the technical community tend to focus on the easy problems: using more appropriate hashing algorithms, salting password hashes, etc. Of course, keeping the password hashes safe and using slow hashing algorithms (with random salt values) is important. It would protect a lot